AWS KMS-based Encryption is Now Available in Amazon SageMaker Training and Hosting

Posted on: Jan 17, 2018

You can now encrypt your Amazon SageMaker storage volumes used for Training and Hosting with AWS Key Management Service (KMS).

AWS KMS gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data. You specify a KMS Key ID when you create Amazon SageMaker notebook instances, training jobs or endpoints. The attached ML storage volumes are encrypted with the specified key. You can specify an output Amazon S3 bucket for training jobs that is also encrypted with a key managed with KMS, and pass in the KMS Key ID for storing the model artifacts in that output S3 bucket.

AWS KMS-based encryption for Amazon SageMaker is available today in the US East (N. Virginia & Ohio), EU (Ireland) and US West (Oregon) AWS regions. Visit the Amazon SageMaker documentation to learn more about how to specify a KMS Key ID with Amazon SageMaker CreateNotebookInstance, CreateTrainingJob and CreateEndpointConfig APIs.
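The following pre-flight check is an added example, not code from AWS or from this announcement. It inspects request parameters for the three APIs named above and reports which KMS key fields are missing or point at a key outside an approved set. The field names come from the SageMaker API request shapes, which the announcement does not list; the key ARN, bucket and job name are constructed sample values.

```python
# Added example: verify SageMaker request parameters carry a KMS key ID
# before they are submitted. Runs offline on plain dicts.

# Where each API takes its KMS key (SageMaker API request field paths).
REQUIRED_KMS_FIELDS = {
    "CreateNotebookInstance": [("KmsKeyId",)],
    "CreateTrainingJob": [
        ("ResourceConfig", "VolumeKmsKeyId"),  # attached ML storage volume
        ("OutputDataConfig", "KmsKeyId"),      # model artifacts in the output S3 bucket
    ],
    "CreateEndpointConfig": [("KmsKeyId",)],
}


def _lookup(params, path):
    """Walk a nested dict along path; return None if any level is absent."""
    node = params
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def missing_kms_fields(operation, params, allowed_keys=None):
    """Return dotted field paths that are unset, empty, or not in allowed_keys."""
    if operation not in REQUIRED_KMS_FIELDS:
        raise ValueError(f"no KMS rule defined for {operation}")
    problems = []
    for path in REQUIRED_KMS_FIELDS[operation]:
        value = _lookup(params, path)
        if not value or (allowed_keys is not None and value not in allowed_keys):
            problems.append(".".join(path))
    return problems


# Constructed sample data: the volume key is set, the output key is not.
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_TRAINING_JOB = {
    "TrainingJobName": "example-job",
    "ResourceConfig": {"InstanceType": "ml.m4.xlarge", "InstanceCount": 1,
                       "VolumeSizeInGB": 50, "VolumeKmsKeyId": SAMPLE_KEY},
    "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/output/"},
}

if __name__ == "__main__":
    print(missing_kms_fields("CreateTrainingJob", SAMPLE_TRAINING_JOB, {SAMPLE_KEY}))
```

A check like this can run in a deployment pipeline so that a request without an approved key is rejected before the resource is created.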